Michael Smith is the field CTO at cybersecurity firm Neustar Security Services, which provides him with a insider’s view into what role hype plays in the industry.
Cybersecurity is constantly in the news as a result of the unrelenting assaults from ransomware gangs and the threat from black hat hackers deployed by Kremlin gremlins to cripple Ukraine’s infrastructure. Although, the expected Russian cyberwar in Ukraine has so far failed to materialise.
Cyberattacks like the SolarWinds, JBS and the Irish health service hacks have put the need to strengthen digital defences front and centre for many top executives. The hype around cybersecurity has jumped as a result.
Looking at Google searches over time, it’s clear that the trend is only pointing upwards. Global googles for “cybersecurity” has grown every year since 2013.
Investment into the industry has grown in tandem with the hype around cybersecurity on Google searches. Venture capitalists (VC) injected just over $1bn into the industry across 130 deals in 2013, according to new data retrieved from research firm GlobalData on July 28. Over the following years, the annual investment grew year on year, albeit with a slight drop in 2020.
However, investment levels rebounded with a vengeance in 2021. VCs backed cybersecurity companies to the tune of $26.3bn across 729 deals last year. Investment levels seems to have dropped slightly this year. So far, investors have only topped up the coffers of cybersecurity companies to the tune of $9.4bn this year.
The drop could be part of the overall contraction of the tech industry that we have seen over the past six months. Tech stocks have plunged and startups have suffered down rounds during that period, stoking fears that the tech bubble might be about to pop.
Whether or not the tech bubble bursting will affect the hype around cybersecurity remains to be seen.
In this, the latest of our series of CTO Talks, Smith talks about the cybersecurity hype, his past as a Russian translator for the US army and the joy of blowing stuff up.
Eric Johansson: Tell us a bit about yourself – how did you end up in your current role?
Michael Smith: I have had all sorts of detours – at 17, I joined the army to escape my home state of Idaho and worked as a Russian translator and intelligence specialist for eight years. From here, I went onto Linux system administration and local acceptable mismatch program (LAMP) stack programming during the Dotcom era as the CTO of an eCommerce start-up, before moving to Washington where I spent 10 years working across several hybrid roles involving security management, risk, and compliance.
Where did your interest in tech come from?
I started programming in the late 1980s and after my early experiences, I really wanted to do a computer-related job in the army, but there were not many options at the time so I looked to gain outside experience. While I was stationed in Germany, I taught myself system administration and when I got off active duty, I volunteered with the local Linux User’s Group and fixed all manner of systems every Thursday night, sometimes until midnight. I parlayed that into my first IT job.
What do people get wrong about cybersecurity?
It is a constant losing battle. Cybersecurity sits as a nexus between security, cost and usability, so the space is designed to be constantly in conflict with one party or another. The first step to recovery is to admit that you will inevitably make a mistake or there will always be a flaw in your security, so it is about finding a balance among the equities, not perfection.
How do you separate hype from genuine innovation?
The cybersecurity industry is notorious for the hype cycle. Every year there is a new trend that is usually recycled technology with new paint and a bunch of buzzword stickers. For me, I look at what are the use cases and the problems this technology is solving – that’s how you cut through the hype.
For instance, we just rolled out a separate infrastructure for authoritative DNS that solves some interesting problems with using two different infrastructure providers. DNS is a very mature technology and that’s a fairly abstract set of use cases that are hard to visualize, so it’s very tempting to fall back on ‘hype’ to explain it.
What's the most important thing happening in your field at the moment?
Controls efficacy and log analysis are everything. With problems like detecting advanced web-crawling bots, you are required to scan artificial intelligence (AI) or machine learning (ML) with a ‘cheat code’ in order to get detection and blocking in real-time and at scale. I am really interested in that bridge from ‘new-tech’ which is comprehensive but requires more resources, to older tech that is far smaller and faster – its where cybersecurity is heading.
What one piece of advice would you offer to other CTOs?
There are two types of leaders in any organisation, those that are leaders by position and then an unofficial group of leaders that we lovingly refer to in the army as "The E4 Mafia" and what Gene Kim calls "The Rebellion" in his book The Unicorn Project. Find those leaders – the tech leads, the architects, the people with the organisational knowledge – and steer them in the right direction. They can mobilise each other for great justice if they have the right support and they can become a phenomenal resource for you to find out what really is happening inside the organisation.
What’s the most surprising thing about your job?
I’m surprised right now at how rapidly I fit into my role, now that I’ve been in it for three months. I woke up one day and looked around and I’m now this old-school infrastructure and web application guy that knows a lot of things and people are looking to me for advice and experience. It’s just like the commercials: “We know a thing or two because we’ve seen a thing or two.”
What’s the biggest technological challenge facing humanity?
“IT security nerd challenges aside, something that I think about a lot is that the digital divide also coincides with the income divide. This is a job field with a higher demand for staff than our ability to create workers and it has led to higher salaries for my peers all around, of course, everyone’s experiences differ. It all comes back to re-education and upskilling of displaced and/or redundant workers. This has affected my hometown and my family in several ways. I think boot camps have a place here, as does traditional education.
What’s the strangest thing you’ve ever done for fun?
I was previously an infantryman, so I’ve had some interesting experiences with things that “go boom”. I remember the day that they handed me a block of C4 and said, “today we are going to teach you how to blow-up doors”. I literally thought to myself “31 years of life, 13 years in the army, all culminating in this one day of making things ‘go kablooey’.”
In another life you’d be?
I really wanted to be a fisheries biologist when I was younger. We were not taught maths or English very well in high school, but we had classes in all the outdoors activities, from flyfishing, white water kayaking to mountain biking.
I’ve always been fascinated by water. I volunteer with Project Healing Waters to teach flyfishing to veterans and I have around 270 scuba dives and around 100 macro photography dives. I use my hyperfocus skills to take pictures of 5mm-long creatures like nudibranchs and shrimp on the ocean floor.
GlobalData is the parent company of Verdict and its sister publications.